From owner-freebsd-net@FreeBSD.ORG Mon Feb 9 21:22:22 2015
Date: Mon, 9 Feb 2015 22:21:31 +0100
From: Andre Albsmeier
To: Freddie Cash
Subject: Re: Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)
Message-ID: <20150209212131.GA32613@schlappy>
References: <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-net, lev@freebsd.org, Matthew Seaman
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 28-Jan-2015 at 10:04:57 -0800, Freddie Cash wrote:
> On Wed, Jan 28, 2015 at 9:53 AM, Lev Serebryakov wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 28.01.2015 20:38, Matthew Seaman wrote:
> >
> > > What do you get if you run the reply size test at DNS-OARC ?
> > >
> > > https://www.dns-oarc.net/oarc/services/replysizetest
> > 0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
> > on 9.3.
> >
> > Looks like "IP Fragments Filtered", but I don't understand — why and
> > where?!
> >
> > I'm using ipfw on both hosts, but I don't have any special rules
> > about IP fragments at all! And as these systems are in completely
> > different networks, with different uplinks and FreeBSD versions!
> >
>
> IPFW doesn't deal with IP fragment reassembly by default.
>
> You can add something like the following to the start of the IPFW ruleset
> to work around it (one for each NIC):
>
> $IPFW add reass ip from any to any in recv $NIC0
> $IPFW add reass ip from any to any in recv $NIC1

The ipfw man page says:

     Usually a simple rule like:

           # reassemble incoming fragments
           ipfw add reass all from any to any in

     is all you need at the beginning of your ruleset.

However, I could never make this work. It eats all fragments but the
resulting final packet never makes it. I am back to

    ipfw -q add 1 pass udp from any to $myip frag in recv $ifc

as I need it only for UDP. Frag reassembly in pf works well on the
other hand...

-Andre

> ...
>
> --
> Freddie Cash
> fjwcash@gmail.com
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

--
A fool with a tool is still a fool.
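As an added example, not code from this thread and not part of FreeBSD or ipfw: a small Python model of IPv4 fragmentation and reassembly that shows the mechanism behind the two rules discussed above. Only the fragment at offset 0 carries the UDP header, so a firewall rule keyed on a UDP port can never match the later fragments; that is why the fallback rule in the reply matches on `frag` (in the ipfw of that era, the non-first fragments) rather than on port 53, and why a `reass` rule has to run before any port-based rule. The addresses, the IP ID and the 1700-byte answer are constructed, and the header checksum is left at zero because nothing here verifies it.

```python
"""Model IPv4 fragmentation/reassembly of an oversized UDP reply (added example)."""
import struct

IPV4_HLEN = 20          # minimal IPv4 header, no options
UDP_HLEN = 8
IPPROTO_UDP = 17
MF_FLAG = 0x2000        # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in units of 8 bytes
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_header(src, dst, proto, payload_len, ident, flags_offset):
    """Build a minimal IPv4 header (header checksum left at 0; not checked here)."""
    return struct.pack(IPV4_FMT, 0x45, 0, IPV4_HLEN + payload_len, ident,
                       flags_offset, 64, proto, 0, src, dst)


def parse_ipv4(pkt):
    """Return (src, dst, ident, proto, offset_bytes, more_fragments, payload)."""
    vihl, _tos, total, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_FMT, pkt[:IPV4_HLEN])
    ihl = (vihl & 0x0F) * 4
    return (src, dst, ident, proto, (ff & OFFSET_MASK) * 8,
            bool(ff & MF_FLAG), pkt[ihl:total])


def fragment(src, dst, proto, payload, mtu, ident):
    """Split one datagram payload into IPv4 fragments that fit `mtu`.
    All but the last fragment carry a multiple of 8 payload bytes, because
    the offset field counts 8-byte units."""
    max_data = (mtu - IPV4_HLEN) // 8 * 8
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        last = off + len(chunk) >= len(payload)
        ff = (off // 8) | (0 if last else MF_FLAG)
        frags.append(ipv4_header(src, dst, proto, len(chunk), ident, ff) + chunk)
        off += len(chunk)
    return frags


def udp_ports(frag):
    """Return (sport, dport) if this fragment carries the UDP header, else None.
    Only the offset-0 fragment does; later fragments are bare payload, so a
    rule keyed on UDP ports cannot match them."""
    _s, _d, _i, proto, offset, _mf, data = parse_ipv4(frag)
    if proto != IPPROTO_UDP or offset != 0 or len(data) < 4:
        return None
    return struct.unpack("!HH", data[:4])


def reassemble(frags):
    """Reassemble fragments of one datagram; None while any piece is missing."""
    pieces, total, key = {}, None, None
    for f in frags:
        src, dst, ident, proto, offset, mf, data = parse_ipv4(f)
        k = (src, dst, ident, proto)
        if key is None:
            key = k
        elif k != key:
            raise ValueError("fragments belong to different datagrams")
        pieces[offset] = data
        if not mf:                      # the last fragment fixes the datagram length
            total = offset + len(data)
    if total is None:
        return None
    out = b""
    for offset in sorted(pieces):
        if offset != len(out):          # hole (or overlap): not complete yet
            return None
        out += pieces[offset]
    return out if len(out) == total else None


def demo(answer_len=1700, mtu=1500):
    """Constructed scenario: a DNSSEC-sized UDP reply from port 53 that
    exceeds the MTU and therefore leaves the resolver as two fragments."""
    src, dst = bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])  # constructed TEST-NET addresses
    udp = struct.pack("!HHHH", 53, 40000, UDP_HLEN + answer_len, 0) + b"\x00" * answer_len
    frags = fragment(src, dst, IPPROTO_UDP, udp, mtu, 0x1234)
    return udp, frags


if __name__ == "__main__":
    udp, frags = demo()
    for i, f in enumerate(frags):
        print(f"fragment {i}: {len(f)} bytes, udp ports = {udp_ports(f)}")
    print("reassembled ok:", reassemble(frags) == udp)
    print("first fragment alone:", reassemble(frags[:1]))
```

Standard library only; run it as a script. The second fragment reports no ports at all, which is the situation a port-matching rule sees on the wire, and `reassemble` returns the original datagram only once every piece has arrived, which is the job the `reass` rule is meant to do before the rest of the ruleset runs.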